---
title: Azure Container Instances Worker Guide
---

## Why use ACI for flow run execution?

ACI (Azure Container Instances) is a fully managed compute platform that streamlines running your Prefect flows on scalable, on-demand infrastructure on Azure.

## Prerequisites

Before starting this guide, make sure you have:

- An Azure account and user permissions for provisioning resource groups and container instances.
- The `azure` CLI installed on your local machine. You can follow Microsoft's [installation guide](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli).
- Docker installed on your local machine.


## Step 1. Create a resource group

Azure resource groups serve as containers for managing groupings of Azure resources.

Replace `<resource-group-name>` with the name of your choosing, and `<location>` with a valid Azure location name, such as`eastus`.

```bash
export RG_NAME=<resource-group-name> && \
az group create --name $RG_NAME --location <location>
```

Throughout the rest of the guide, we'll need to refer to the **scope** of the created resource group, which is a string describing where the resource group lives in the hierarchy of your Azure account. To save the scope of your resource group as an environment variable, run the following command:

```bash
RG_SCOPE=$(az group show --name $RG_NAME --query id --output tsv)
```

You can check that the scope is correct before moving on by running `echo $RG_SCOPE` in your terminal. It should be formatted as follows:

```
/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>
```

## Step 2. Prepare ACI permissions

In order for the worker to create, monitor, and delete the other container instances in which flows will run, we'll need to create a **custom role** and an **identity**, and then affiliate that role to the identity with a **role assignment**. When we start our worker, we'll assign that identity to the container instance it's running in.

### 1. Create a role

The custom `Container Instances Contributor` role has all the permissions your worker will need to run flows in other container instances. Create it by running the following command:

```bash
az role definition create --role-definition '{
  "Name": "Container Instances Contributor",
  "IsCustom": true,
  "Description": "Can create, delete, and monitor container instances.",
  "Actions": [
    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
    "Microsoft.Resources/deployments/*",
    "Microsoft.ContainerInstance/containerGroups/*"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    '"\"$RG_SCOPE\""'
  ]
}'
```

### 2. Create an identity

Create a user-managed identity with the following command, replacing `<identity-name>` with the name you'd like to use for the identity:

```bash
export IDENTITY_NAME=<identity_name> && \
az identity create -g $RG_NAME -n $IDENTITY_NAME
```

We'll also need to save the principal ID and full object ID of the identity for the role assignment and container creation steps, respectively:

```bash
IDENTITY_PRINCIPAL_ID=$(az identity list --query "[?name=='$IDENTITY_NAME'].principalId" --output tsv) && \
IDENTITY_ID=$(az identity list --query "[?name=='$IDENTITY_NAME'].id" --output tsv)
```

### 3. Assign roles to the identity

Now let's assign the `Container Instances Contributor` role we created earlier to the new identity:

```bash
az role assignment create \
    --assignee $IDENTITY_PRINCIPAL_ID \
    --role "Container Instances Contributor" \
    --scope $RG_SCOPE
```

Since we'll be using ACR to host a custom Docker image containing a Prefect flow later in the guide, let's also assign the built in `AcrPull` role to the identity:

```bash
az role assignment create \
    --assignee $IDENTITY_PRINCIPAL_ID \
    --role "AcrPull" \
    --scope $RG_SCOPE
```

## Step 3. Create the worker container instance

Before running this command, set your `PREFECT_API_URL` and `PREFECT_API_KEY` as environment variables:

```bash
export PREFECT_API_URL=<PREFECT_API_URL_HERE> PREFECT_API_KEY=<PREFECT_API_KEY_HERE>
```

Running the following command will create a container instance in your Azure resource group that will start a Prefect ACI worker. If there is not already a work pool in Prefect with the name you chose, a work pool will also be created.

Replace `<work-pool-name>` with the name of the ACI work pool you want to create in Prefect. Here we're using the work pool name as the name of the container instance in Azure as well, but you may name it something else if you prefer.

```bash
az container create \
    --name <work-pool-name> \
    --resource-group $RG_NAME \
    --assign-identity $IDENTITY_ID \
    --image "prefecthq/prefect:3-python3.12" \
    --secure-environment-variables PREFECT_API_URL=$PREFECT_API_URL PREFECT_API_KEY=$PREFECT_API_KEY \
    --command-line "/bin/bash -c 'pip install prefect-azure && prefect worker start --pool <work-pool-name> --type azure-container-instance'" 
```

This container instance uses default networking and security settings. For advanced configuration, refer the `az container create` [CLI reference](https://learn.microsoft.com/en-us/cli/azure/container?view=azure-cli-latest#az-container-create).

## Step 4. Create an ACR registry

In order to build and push images containing flow code to Azure, we'll need a container registry. Create one with the following command, replacing `<registry-name>` with the registry name of your choosing:

```bash
export REGISTRY_NAME=<registry-name> && \
az acr create --resource-group $RG_NAME \
  --name <registry-name> --sku Basic
```

## Step 5. Update your ACI work pool configuration

Once your work pool is created, navigate to the Edit page of your ACI work pool. You will need to update the following fields:

### Identities

This will be your `IDENTITY_ID`. You can get it from your terminal by running `echo $IDENTITY_ID`. When adding it to your work pool, it should be formatted as a JSON array:

```
["/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>"]
```

![Configuring an ACI work pool's identities.](/images/integrations/aci-worker-identities.png)

### ACRManagedIdentity

ACRManagedIdentity is required for your flow code containers to be pulled from ACR. It consists of the following:

- Identity: the same `IDENTITY_ID` as above, as a string
```
/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>
```
- Registry URL: your `<registry-name>`, followed by `.azurecr.io`
```
<registry-name>.azurecr.io
```

![Configuring an ACI work pool's ACR Managed Identity.](/images/integrations/aci-worker-acridentity.png)

### Subscription ID and resource group name

Both the subscription ID and resource group name can be found in the `RG_SCOPE` environment variable created earlier in the guide. View their values by running `echo $RG_SCOPE`:

```
/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>
```

![Configuring an ACI work pool.](/images/integrations/aci-worker-subscription.png)

Then click Save.

## Step 6. Pick up a flow run with your new worker

This guide uses ACR to store a Docker image containing your flow code. Write a flow, then deploy it using `flow.deploy()`, which will copy flow code into a Docker image and push that image to an ACR registry.

### 1. Log in to ACR

Use the following commands to log in to ACR:

```
TOKEN=$(az acr login --name $REGISTRY_NAME --expose-token --output tsv --query accessToken)
```

```
docker login $REGISTRY_NAME.azurecr.io --username 00000000-0000-0000-0000-000000000000 --password-stdin <<< $TOKEN
```


### 2. Write and deploy a simple test flow

Create and run the following script to deploy your flow. Be sure to replace `<registry-name>` and `<work-pool-name>` with the appropriate values.

`my_flow.py`

```python
from prefect import flow
from prefect.logging import get_run_logger
from prefect.docker import DockerImage

@flow
def my_flow():
    logger = get_run_logger()
    logger.info("Hello from ACI!")

if __name__ == "__main__":
    my_flow.deploy(
        name="aci-deployment",
        image=DockerImage(
            name="<registry-name>.azurecr.io/example:latest",
            platform="linux/amd64",
        ),
        work_pool_name="<work-pool-name>",
    )
```

### 3. Find the deployment in the UI and click the **Quick Run** button!
